CVE-2025-12390
Org.keycloak.protocol.oidc.endpoints.logoutendpoint: offline session takeover due to reused authentication session id
A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user.
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Productos afectados
Keycloak · keycloakRed Hat · Red Hat build of Keycloak 26.2Red Hat · Red Hat build of Keycloak 26.2.11Red Hat · Red Hat build of Keycloak 26.4Red Hat · Red Hat build of Keycloak 26.4.4¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://access.redhat.com/errata/RHSA-2025:21370https://access.redhat.com/errata/RHSA-2025:21371https://access.redhat.com/errata/RHSA-2025:22088https://access.redhat.com/errata/RHSA-2025:22089https://access.redhat.com/security/cve/CVE-2025-12390https://bugzilla.redhat.com/show_bug.cgi?id=2406793https://github.com/keycloak/keycloak/issues/43853